Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Widget

Description

Network Activity—Displays an overview of traffic and user activity on your network.

Application Usage

The table displays the top ten applications used on your network; all
the remaining applications used on the network are aggregated and
displayed as other. The graph displays all applications by application
category, sub category, and application. Use this widget to scan for
applications being used on the network; it informs you about the
predominant applications using bandwidth, session count, file transfers,
triggering the most threats, and accessing URLs.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: treemap, area, column, line (the charts vary by the sort by attribute selected)

User Activity

Displays the top ten most active users on
the network who have generated the largest volume of traffic and
consumed network resources to obtain content. Use this widget to
monitor the top users by usage, sorted on bytes, sessions, threats,
content (files and patterns), and URLs visited.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: area, column, line (the charts vary by the sort by attribute selected)

Source IP Activity

Displays the top ten IP addresses or hostnames
of the devices that have initiated activity on the network. All
other devices are aggregated and displayed as other.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: area, column, line (the charts vary by the sort by attribute selected)

Destination IP Activity

Displays the IP addresses or hostnames of
the top ten destinations that were accessed by users on the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: area, column, line (the charts vary by the sort by attribute selected)

Source Regions

Displays the top ten regions (built-in or
custom defined regions) around the world from where users initiated
activity on your network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: map, bar

Destination Regions

Displays the top ten destination regions
(built-in or custom defined regions) on the world map from where
content is being accessed by users on the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: map, bar

GlobalProtect Host Information

Displays information on the state of the hosts
on which the GlobalProtect agent is running; the host system is
a GlobalProtect endpoint. This information is sourced from entries
in the HIP match log that are generated when the data submitted
by the GlobalProtect app matches a HIP object or a HIP profile you
have defined on the firewall. If you do not have HIP Match logs,
this widget is blank. To learn how to create HIP objects and HIP
profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.

Sort attributes: profiles, objects, operating systems

Charts available: bar

Rule Usage

Displays the top ten rules that have allowed
the most traffic on the network. Use this widget to view the most
commonly used rules, monitor the usage patterns, and to assess whether
the rules are effective in securing your network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: line

Ingress Interfaces

Displays the firewall interfaces that are
most used for allowing traffic into the network.

Sort attributes: bytes, bytes sent, bytes received

Charts available: line

Egress Interfaces

Displays the firewall interfaces that are
most used by traffic exiting the network.

Sort attributes: bytes, bytes sent, bytes received

Charts available: line

Source Zones

Displays the zones that are most used for
allowing traffic into the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: line

Destination Zones

Displays the zones that are most used by
traffic going outside the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: line

Threat Activity—Displays an overview of the threats on the network.

Compromised Hosts

Displays the hosts that are likely compromised
on your network. This widget summarizes the events from the correlation
logs. For each source user/IP address, it includes the correlation
object that triggered the match and the match count, which is aggregated
from the match evidence collated in the correlated events logs.
For details, see Use the Automated Correlation Engine.

Available on the
PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series,
and Panorama.

Sort attributes: severity (by default)

Hosts Visiting Malicious URLs

Displays the frequency with which hosts
(IP address/hostnames) on your network have accessed malicious URLs.
These URLs are known to be malware based on categorization in PAN-DB.

Sort attributes: count

Charts available: line

Hosts Resolving Malicious Domains

Displays the top hosts matching DNS signatures;
hosts on the network that are attempting to resolve the hostname
or domain of a malicious URL. This information is gathered from
an analysis of the DNS activity on your network. It utilizes passive
DNS monitoring, DNS traffic generated on the network, activity seen
in the sandbox if you have configured DNS sinkhole on the firewall,
and DNS reports on malicious DNS sources that are available to Palo
Alto Networks customers.

Sort attributes: count

Charts available: line

Threat Activity

Displays the threats seen on your network.
This information is based on signature matches in Antivirus, Anti-Spyware,
and Vulnerability Protection profiles and viruses reported by WildFire.

Sort attributes: threats

Charts available: bar, area, column

WildFire Activity by Application

Displays the applications that generated
the most WildFire submissions. This widget uses the malicious and
benign verdict from the WildFire Submissions log.

Sort attributes: malicious, benign

Charts available: bar, line

WildFire Activity by File Type

Displays the threat vector by file type.
This widget displays the file types that generated the most WildFire
submissions and uses the malicious and benign verdict from the WildFire
Submissions log. If this data is unavailable, the widget is empty.

Sort attributes: malicious, benign

Charts available: bar, line

Applications using Non Standard Ports

Displays the applications that are entering
your network on non-standard ports. If you have migrated your firewall
rules from a port-based firewall, use this information to craft
policy rules that allow traffic only on the default port for the
application. Where needed, make an exception to allow traffic on
a non-standard port or create a custom application.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: treemap, line

Rules Allowing Applications On Non Standard Ports

Displays the security policy rules that
allow applications on non-default ports. The graph displays all
the rules, while the table displays the top ten rules and aggregates
the data from the remaining rules as other.

This information helps you identify gaps in network security by
allowing you to assess whether an application is hopping ports or
sneaking into your network. For example, you can validate whether you
have a rule that allows traffic on any port except the default port for
the application. Suppose you have a rule that allows DNS traffic on its
application-default port (port 53 is the standard port for DNS). This
widget will display any rule that allows DNS traffic into your network
on any port except port 53.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: treemap, line

Blocked Activity—Focuses on traffic that was prevented from coming into the network.

Blocked Application Activity

Displays the applications that were denied
on your network, and allows you to view the threats, content, and
URLs that you kept out of your network.

Sort attributes: threats, content, URLs

Charts available: treemap, area, column

Blocked User Activity

Displays user requests that were blocked
by a match on an Antivirus, Anti-Spyware, File Blocking, or URL Filtering
profile attached to a Security policy rule.

Sort attributes: threats, content, URLs

Charts available: bar, area, column

Blocked Threats

Displays the threats that were successfully
denied on your network. These threats were matched on antivirus
signatures, vulnerability signatures, and DNS signatures available
through the dynamic content updates on the firewall.

Sort attributes: threats

Charts available: bar, area, column

Blocked Content

Displays the files and data that were blocked
from entering the network. The content was blocked because security
policy denied access based on criteria defined in a File Blocking
security profile or a Data Filtering security profile.

Sort attributes: files, data

Charts available: bar, area, column

Security Policies Blocking Activity

Displays the security policy rules that
blocked or restricted traffic into your network. Because this widget displays
the threats, content, and URLs that were denied access into your
network, you can use it to assess the effectiveness of your policy
rules. This widget does not display traffic that was blocked because
of deny rules that you have defined in policy.
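
The check behind the Rules Allowing Applications On Non Standard Ports widget described above can be reproduced offline against exported session data. The following is an added example, not Palo Alto Networks code: the record layout, rule names, and default-port table are constructed assumptions. It ranks rules by bytes allowed on non-default ports and folds everything past the top N into "other", as the widget's table does.

```python
from collections import defaultdict

# Assumed default ports per application (constructed for this example;
# on a real firewall these come from the application definitions).
DEFAULT_PORTS = {"dns": {53}, "ssl": {443}, "web-browsing": {80}, "ssh": {22}}

# Constructed session records: (rule, application, destination port, bytes).
SESSIONS = [
    ("allow-dns", "dns", 53, 1200),
    ("legacy-any-any", "dns", 5353, 900),
    ("legacy-any-any", "ssh", 2222, 40000),
    ("web-out", "ssl", 443, 80000),
    ("web-out", "web-browsing", 8080, 15000),
    ("partner-vpn", "ssl", 8443, 7000),
    ("allow-dns", "dns", 53, 300),
    ("legacy-any-any", "dns", 5353, 100),
]

def rules_allowing_non_standard(sessions, default_ports, top_n=10):
    """Rank rules by bytes allowed on non-default ports; fold the rest into 'other'."""
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0, "apps": set()})
    for rule, app, port, nbytes in sessions:
        known = default_ports.get(app)
        if known is None or port in known:
            continue  # no default to compare against, or app is on its default port
        entry = totals[rule]
        entry["bytes"] += nbytes
        entry["sessions"] += 1
        entry["apps"].add((app, port))
    # Sort by bytes descending, rule name as a stable tie-breaker.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1]["bytes"], kv[0]))
    table = [(rule, e["bytes"], e["sessions"], sorted(e["apps"]))
             for rule, e in ranked[:top_n]]
    rest = ranked[top_n:]
    if rest:
        table.append(("other", sum(e["bytes"] for _, e in rest),
                      sum(e["sessions"] for _, e in rest), []))
    return table

if __name__ == "__main__":
    for row in rules_allowing_non_standard(SESSIONS, DEFAULT_PORTS, top_n=2):
        print(row)
```

A rule such as the constructed `allow-dns`, which only ever passes DNS on port 53, never appears in the output; a broad rule that passes DNS on another port does, which is the gap the widget is meant to surface.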